overwraith Posted December 1, 2013 (edited) Run for the hills! All is lost! Abandon all hope! I would make a small example program on my own PC/laptop, and demonstrate what SQL injection is, and what it can do. Just don't do anything to the database (the company's) in question, because you can break things. Also, you might want to only tell management, because you don't want anyone else to know how to hack the company. What are you afraid of getting in trouble for specifically? If you have access to the company's code, then you can clearly see for yourself that the site is vulnerable to SQL injection. If you do not have access to the code, how did you discover the flaw? If it was a faulty input situation, you can explain that. If you did discover the flaw by actively penetration testing the company without authorization, you might want somebody else to discover this flaw. Edited December 1, 2013 by overwraith
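The kind of small, local demo overwraith suggests, as an added example that is not from the thread: an in-memory SQLite table (constructed here) with a login check written two ways. The string-concatenated query lets a quote in the input change the query's logic; the parameterized query treats the same input as plain data, which is the fix to recommend.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the demo app's users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Vulnerable: input is pasted into the SQL text, so a quote in the
    input becomes part of the query's syntax instead of a value."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, name, password):
    """Fixed: placeholders bind the input as data; the query shape is
    fixed at write time and cannot be altered by what the user types."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def demo():
    """Run both versions against the same inputs and return the outcomes."""
    conn = make_db()
    good = ("alice", "correct horse")
    bad = ("alice", "wrong")
    # Input that closes the string literal and comments out the rest of
    # the WHERE clause in the concatenated version.
    tampered = ("alice' --", "anything")
    return {
        "concat_good": login_concat(conn, *good),        # True
        "concat_bad": login_concat(conn, *bad),          # False
        "concat_tampered": login_concat(conn, *tampered),  # True: bypassed
        "param_good": login_param(conn, *good),          # True
        "param_bad": login_param(conn, *bad),            # False
        "param_tampered": login_param(conn, *tampered),  # False: just data
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```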
digip Posted December 1, 2013 Is the flaw specific to the site, or to some software in general? If the flaw is in all versions of a specific web app or software, you notify the vendor of the web app or specific software (if one wasn't already published for the same version this site is running), as well as people like SANS and CERT, with proof of concept, and if that doesn't get it fixed or the vendor ignores the flaw, you go public with it to places like OSVDB, EDB and Packet Storm, as well as the Full Disclosure mailing list - http://seclists.org/fulldisclosure/ - but you LEAVE OUT the site in question you found the flaw on. If after that the flaw remains, you can try contacting the company's abuse, NOC, or security department if email addresses are listed, which you may or may not be able to find via their site or even WHOIS info for contacts. Tread lightly.
overwraith Posted December 1, 2013 There are also ways to anonymously inform the company in question about their problem. I like to use anonymous email applications, but that's just me. Can't speak to the anonymous email apps' security.
mreidiv (Author) Posted December 1, 2013 (edited) I fired up Tor and dropped a comment in the contact us page. Thanks guys. Edited December 1, 2013 by mreidiv
newbi3 Posted December 2, 2013 Include some links about what it is, why it's a problem, and how to get it fixed. Also be sure to include steps for them to reproduce what you have done.